SHSH blob
Encyclopedia
SHSH blobs is a Hash signature system (Signature HaSH blobs) made by Apple inc. to prevent software downgrades on iPhones
, iPads
and iPod touches
meant for Jailbreaking. An SHSH is created by an SHSH formula (CLI
Application) with 3 or 4 TSS keys- The device (e.g. iPhone 4 CDMA), the firmware signed (e.g. 4.2.8) and the device's ECID- a unique chip ID given with every device. The SHSH is given as Plist
in a SHSH format, built with blobs, each blob is intended for a different part of the software (like kernel
and Apple logo). They are ted to manage which firmware is restorable and which isn't, and when a firmware is not signed any more it is not restorable, that way users can't downgrade and jailbreak.
devices with a baseband
were always signed with a random number, (With addition of baseband TSS key) from iOS 1.0 on. When Jailbreak started to be developed, Apple has changed the LLB (Low Level Bootloader) to check the signatures on the kernel. As a combat, jailbreakers used both user-land, iBoot and Boot-ROM exploits to patch the LLB to cancel the signature checks. All devices released after iPhone 3G
check if a patched LLB is submitted and will enter hardware DFU, a DFU mode that a device can't quit unless it is restored. only an untethered Boot-ROM exploit can allow a patched LLB submission. But Without SHSH, users can downgrade and jailbreak older versions, or even jailbreak with software upgrade from an old firmware
to a newer one if an exploit is found in restore mode. On devices with an ECID, the LLB executes the boot-ROM checks for SHSH blobs.
would save SHSH files on it servers, cached from Apple, so when the Hosts files on the computers are set on Cydia's servers, iTunes
would take the cached SHSH and restore it. Another method was to save the SHSH locally on the computer. At the beginning George Hotz
saved just the iBSS/iBEC specific SHSH, then The Firmware Umbrella was released to save the SHSH in a better way and TInyTSS to send the SHSH to the iTunes restore, finally TinyUmbrella to do both and to fix iTunes errors or manage recovery mode, then iFaith to take the Signed SHSH blobs from device and finally an update to Redsn0w
to verify SHSH, query blobs from Cydia, Fetch SHSH blobs from the device, Submit blobs to Cydia
and stitch SHSH blobs to a firmware. Because of this Behavior from the side of hackers, Apple has randomized the SHSH for each restore to be different. this is referred to as a Ticket. This random number is saved on Apple's servers, so if iTunes
checks if the blobs are okay with Apple, it will know that the blobs have been requested before, and the restore wouldn't work. As of October 27, 2011, The static SHSH blobs which are given are for 4.1 for iPhone 3G,iPhone 3GS,iPod touch 2G and iPod touch 3G and 4.2.1 for iPhone 3G and iPod touch 2G. The random SHSH blobs which are given currently are for 5.0 for iPhone 3GS
, iPhone 4
, iPhone 4S
, iPad, iPad 2
, iPod touch
from 3rd generation and higher.
IPhone
The iPhone is a line of Internet and multimedia-enabled smartphones marketed by Apple Inc. The first iPhone was unveiled by Steve Jobs, then CEO of Apple, on January 9, 2007, and released on June 29, 2007...
, iPads
IPad
The iPad is a line of tablet computers designed, developed and marketed by Apple Inc., primarily as a platform for audio-visual media including books, periodicals, movies, music, games, and web content. The iPad was introduced on January 27, 2010 by Apple's then-CEO Steve Jobs. Its size and...
and iPod touches
IPod touch
The iPod Touch is a portable media player, personal digital assistant, handheld game console, and Wi-Fi mobile device designed and marketed by Apple Inc. The iPod Touch adds the multi-touch graphical user interface to the iPod line...
meant for Jailbreaking. An SHSH is created by an SHSH formula (CLI
CLI
-Computing:* Command-line interface, sending commands to a computer by text typed into a command-line interpreter .* Call Level Interface, an SQL database management API...
Application) with 3 or 4 TSS keys- The device (e.g. iPhone 4 CDMA), the firmware signed (e.g. 4.2.8) and the device's ECID- a unique chip ID given with every device. The SHSH is given as Plist
Property list
In the Mac OS X, iOS, NeXTSTEP, and GNUstep programming frameworks, property list files are files that store serialized objects. Property list files use the filename extension .plist, and thus are often referred to as p-list files....
in a SHSH format, built with blobs, each blob is intended for a different part of the software (like kernel
Kernel (computing)
In computing, the kernel is the main component of most computer operating systems; it is a bridge between applications and the actual data processing done at the hardware level. The kernel's responsibilities include managing the system's resources...
and Apple logo). They are ted to manage which firmware is restorable and which isn't, and when a firmware is not signed any more it is not restorable, that way users can't downgrade and jailbreak.
Pre-SHSH signing and the LLB
From the beginning, iOSIOS
iOS is an operating system for iPad, iPhone, iPod Touch, and Apple TV.IOS may also refer to:-Companies and organisations:* Illinois Ornithological Society, American state-based bird club...
devices with a baseband
Baseband
In telecommunications and signal processing, baseband is an adjective that describes signals and systems whose range of frequencies is measured from close to 0 hertz to a cut-off frequency, a maximum bandwidth or highest signal frequency; it is sometimes used as a noun for a band of frequencies...
were always signed with a random number, (With addition of baseband TSS key) from iOS 1.0 on. When Jailbreak started to be developed, Apple has changed the LLB (Low Level Bootloader) to check the signatures on the kernel. As a combat, jailbreakers used both user-land, iBoot and Boot-ROM exploits to patch the LLB to cancel the signature checks. All devices released after iPhone 3G
IPhone 3G
The iPhone 3G is the second generation of iPhone designed and marketed by Apple Inc.. It was the successor to the original iPhone, and is succeeded by the iPhone 3GS. Introduced on June 9, 2008 at the WWDC 2008 at the Moscone Center, San Francisco...
check if a patched LLB is submitted and will enter hardware DFU, a DFU mode that a device can't quit unless it is restored. only an untethered Boot-ROM exploit can allow a patched LLB submission. But Without SHSH, users can downgrade and jailbreak older versions, or even jailbreak with software upgrade from an old firmware
Firmware
In electronic systems and computing, firmware is a term often used to denote the fixed, usually rather small, programs and/or data structures that internally control various electronic devices...
to a newer one if an exploit is found in restore mode. On devices with an ECID, the LLB executes the boot-ROM checks for SHSH blobs.
ECID
The ECID (Unique device ID) is a unique 13-numeral number attached to the hardware of every device, and is not in use for devices that don't require SHSH blobs. Each device has its own ECID and it is not changeable. The ECID is the third TSS key when the SHSH is created and SHSH files for different ECID from the restored device will not be accepted by the device. From iOS 4.0 on, also devices which do not have they're ECID coded for SHSH blobs, that support iOS 4 and on, get SHSH blobs, but are never required for a restore.Combat
Between iOS 3.0-4.3.5, SHSHs for the main firmwares were made of 3 TSS keys- Device, Firmware version and ECID which means the SHSH file for a certain firmware and device would be the same with every restore.As a combat from the jailbreak side, CydiaCydia
Cydia is a large genus of tortrix moths, belonging to the tribe Grapholitini of subfamily Olethreutinae. Its distinctness from and delimitation versus the tribe's type genus Grapholita requires further study....
would save SHSH files on it servers, cached from Apple, so when the Hosts files on the computers are set on Cydia's servers, iTunes
ITunes
iTunes is a media player computer program, used for playing, downloading, and organizing digital music and video files on desktop computers. It can also manage contents on iPod, iPhone, iPod Touch and iPad....
would take the cached SHSH and restore it. Another method was to save the SHSH locally on the computer. At the beginning George Hotz
George Hotz
George Francis Hotz , alias geohot, million75 or simply mil, is an American hacker known for unlocking the iPhone, allowing the phone to be used with other wireless carriers, contrary to AT&T and Apple's intent...
saved just the iBSS/iBEC specific SHSH, then The Firmware Umbrella was released to save the SHSH in a better way and TInyTSS to send the SHSH to the iTunes restore, finally TinyUmbrella to do both and to fix iTunes errors or manage recovery mode, then iFaith to take the Signed SHSH blobs from device and finally an update to Redsn0w
Redsn0w
redsn0w is a free iOS jailbreaking tool developed by the iPhone Dev Team, capable of executing jailbreaks on many iOS devices by using low-level boot ROM exploits...
to verify SHSH, query blobs from Cydia, Fetch SHSH blobs from the device, Submit blobs to Cydia
Cydia
Cydia is a large genus of tortrix moths, belonging to the tribe Grapholitini of subfamily Olethreutinae. Its distinctness from and delimitation versus the tribe's type genus Grapholita requires further study....
and stitch SHSH blobs to a firmware. Because of this Behavior from the side of hackers, Apple has randomized the SHSH for each restore to be different. this is referred to as a Ticket. This random number is saved on Apple's servers, so if iTunes
ITunes
iTunes is a media player computer program, used for playing, downloading, and organizing digital music and video files on desktop computers. It can also manage contents on iPod, iPhone, iPod Touch and iPad....
checks if the blobs are okay with Apple, it will know that the blobs have been requested before, and the restore wouldn't work. As of October 27, 2011, The static SHSH blobs which are given are for 4.1 for iPhone 3G,iPhone 3GS,iPod touch 2G and iPod touch 3G and 4.2.1 for iPhone 3G and iPod touch 2G. The random SHSH blobs which are given currently are for 5.0 for iPhone 3GS
IPhone 3GS
-Camera:The iPhone 3GS features an improved 3 megapixel camera manufactured by OmniVision. In addition to the higher megapixel count, it also features auto-focus, auto white balance and auto macro and is capable of capturing VGA video...
, iPhone 4
IPhone 4
The iPhone 4 is a touchscreen slate smartphone developed by Apple Inc. It is the fourth generation iPhone, and successor to the iPhone 3GS. It is particularly marketed for video calling , consumption of media such as books and periodicals, movies, music, and games, and for general web and e-mail...
, iPhone 4S
IPhone 4S
The iPhone 4S is a touchscreen slate smartphone developed by Apple Inc. It is the fifth generation of the iPhone, a device that combines a widescreen iPod with a touchscreen, mobile phone, and internet communicator. It retains the exterior design of its predecessor, iPhone 4, but is host to a range...
, iPad, iPad 2
IPad 2
The iPad 2 is the second and current generation of the iPad, a tablet computer designed, developed and marketed by Apple. It serves primarily as a platform for audio-visual media including books, periodicals, movies, music, games, presentations and web content, and is available in black or white...
, iPod touch
IPod touch
The iPod Touch is a portable media player, personal digital assistant, handheld game console, and Wi-Fi mobile device designed and marketed by Apple Inc. The iPod Touch adds the multi-touch graphical user interface to the iPod line...
from 3rd generation and higher.